feat(nginxproxymanager): add container, raptus to tailnet and remove ssh from raptus

Nydragon 2024-10-08 02:41:00 +02:00
parent 2a7a774d4e
commit 9e2efdf6b3
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
17 changed files with 227 additions and 55 deletions


@ -1,15 +1,8 @@
# vim:fileencoding=utf-8:foldmethod=marker # vim:fileencoding=utf-8:foldmethod=marker
{ { pkgs, username, ... }:
pkgs,
inputs,
username,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../modules
./home.nix ./home.nix
]; ];
@ -20,7 +13,10 @@
age.secrets.rustypaste = { age.secrets.rustypaste = {
file = ../../secrets/rustypaste.age; file = ../../secrets/rustypaste.age;
mode = "440";
group = "wheel";
}; };
#: Power Consumption {{{ #: Power Consumption {{{
services.logind = { services.logind = {
powerKey = "hibernate"; powerKey = "hibernate";
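Review bot: `mode = "440"; group = "wheel";` on `age.secrets.rustypaste` makes the decrypted secret readable by every wheel member on this host, which is wider than the single service or user that consumes it; wheel exists for sudo membership, not for secret access. Prefer `owner`/`group` set to the actual consumer (e.g. `owner = username;` if the desktop user is the reader, or the rustypaste service account) and keep the mode at `"400"` or `"440"` as that choice requires. The hunk does not show who reads the file, so confirm the consumer before narrowing it.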


@ -1,41 +1,49 @@
{ inputs, withSystem, ... }: { inputs, withSystem, ... }:
let let
inherit (inputs.self.lib.my) mkSystem; inherit (inputs.self.lib.my) mkSystem;
inherit (inputs.self.lib) listToAttrs;
mkSystem' = sys: {
name = sys.hostname;
value = mkSystem ({ inherit withSystem; } // sys);
};
in in
{ {
flake.nixosConfigurations = { flake.nixosConfigurations = listToAttrs [
marr = mkSystem { (mkSystem' {
inherit withSystem;
hostname = "marr"; hostname = "marr";
system = "x86_64-linux"; system = "x86_64-linux";
extraModules = [ inputs.agenix.nixosModules.default ]; extraModules = [ inputs.agenix.nixosModules.default ];
}; })
brontes = mkSystem { (mkSystem' {
inherit withSystem;
hostname = "brontes"; hostname = "brontes";
system = "x86_64-linux"; system = "x86_64-linux";
extraModules = [ inputs.agenix.nixosModules.default ]; extraModules = [ inputs.agenix.nixosModules.default ];
}; })
shan = mkSystem { (mkSystem' {
inherit withSystem;
hostname = "shan"; hostname = "shan";
system = "x86_64-linux"; system = "x86_64-linux";
extraModules = [ extraModules = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
]; ];
}; })
raptus = mkSystem { (mkSystem' {
inherit withSystem;
hostname = "raptus"; hostname = "raptus";
system = "x86_64-linux"; system = "x86_64-linux";
extraModules = [ extraModules = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
]; ];
}; })
};
(mkSystem' {
hostname = "nihilus";
system = "aarch64-linux";
extraModules = [ ];
})
];
} }
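Review bot: The five `(mkSystem' { ... })` elements repeat the wrapper call at each entry; `listToAttrs (map mkSystem' [ { hostname = "marr"; ... } ... ])` says the same thing with the plain attrsets as data and drops the parentheses. The new `nihilus` entry is the only host with `extraModules = [ ]`, so it gets neither agenix nor disko — if its configuration references `age.secrets` evaluation will fail, and if the omission is intentional a short comment on the entry would spare the next reader the question. A one-line comment on `mkSystem'` (`# Turn a host description into a { name = hostname; value = nixosSystem; } pair for listToAttrs`) would document the helper.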


@ -9,7 +9,6 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules
./home.nix ./home.nix
]; ];


@ -17,7 +17,6 @@ in
./rustypaste ./rustypaste
./forgejo ./forgejo
./headscale.nix ./headscale.nix
../../modules
]; ];
age.secrets = { age.secrets = {
@ -29,15 +28,21 @@ in
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
}; };
modules.services.tailscale = {
enable = true;
tags = [ "server" ];
extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now
};
services.headscale.enable = true; services.headscale.enable = true;
networking.firewall = lib.mkForce { networking.firewall = lib.mkForce {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 # for acme challenges 80 # for acme challenges
443 443
3000 # forgejo ] ++ [ config.services.endlessh.port ];
8000 # rustypaste
] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ];
}; };
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@ -56,11 +61,6 @@ in
]; ];
}; };
services.openssh = {
enable = true;
ports = [ 56528 ];
};
services.endlessh = { services.endlessh = {
enable = true; enable = true;
port = 22; port = 22;
@ -71,10 +71,5 @@ in
pkgs.gitMinimal pkgs.gitMinimal
]; ];
users.users = {
root.openssh.authorizedKeys.keys = [ pubkeys.ny ];
ny.openssh.authorizedKeys.keys = [ pubkeys.ny ];
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
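Review bot: With `services.openssh` removed, `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` depends on a host key that nothing in this configuration generates any more — the NixOS openssh module is what creates the keys listed in `services.openssh.hostKeys` on first boot, so a fresh install of raptus (this host carries the disko module) would have no identity for agenix to decrypt with; either keep a minimal sshd bound to the tailnet address, or provision the key out of band and say so in a comment next to `age.identityPaths`. Tailscale SSH (`--ssh` is the module's default flag) is now the only remote access path, and raptus is also the headscale coordination server (`services.headscale.enable = true`), so a headscale outage or an expired node key on this host removes the route to repair it; a break-glass path (provider console, or an sshd listening only on the tailscale interface) is worth noting beside the `modules.services.tailscale` block. Dropping `3000` and `8000` from `allowedTCPPorts` is consistent with reaching forgejo and rustypaste only over the tailnet, but confirm nothing on the public side still expects them.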


@ -49,6 +49,35 @@ mkIf config.services.headscale.enable {
nameservers = [ nameservers = [
"100.64.0.4" "100.64.0.4"
]; ];
extra_records =
let
mkRecords = map (sub: {
name = "${sub}.ccnlc.eu";
type = "A";
value = "100.64.0.4";
});
in
[
{
name = "ccnlc.eu";
type = "A";
value = "100.64.0.4";
}
]
# Tailscale doesn't seem to support wildcard A/AAAA records
# - https://github.com/juanfont/headscale/issues/2159#issuecomment-2393406444
++ mkRecords [
"immich"
"adguard"
"nextcloud"
"kitchenowl"
"navidrome"
"subsonic"
"nextcloud"
"paperless"
"truenas"
"fritz"
];
}; };
}; };
}; };
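Review bot: `"nextcloud"` appears twice in the `mkRecords` list (after `"adguard"` and again after `"subsonic"`), producing a duplicate A record for `nextcloud.ccnlc.eu`; drop the second entry. The address `"100.64.0.4"` is now written three times in this block (`nameservers`, the apex record, `mkRecords`); binding it once in the `let` (e.g. `target = "100.64.0.4";`) keeps the records from drifting when that host moves. The enclosing attrset starts before the hunk.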


@ -9,7 +9,6 @@
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix ./disk-config.nix
../../modules
./adguard.nix ./adguard.nix
]; ];
@ -27,10 +26,15 @@
}; };
modules = { modules = {
container.kitchenowl = { container = {
enable = true; kitchenowl = {
openFirewall = true; enable = true;
version = "v0.5.2"; openFirewall = true;
version = "v0.5.2";
};
nginxproxymanager = {
enable = true;
};
}; };
server = { server = {


@ -24,5 +24,6 @@
./nix ./nix
./themes ./themes
./commons
]; ];
} }


@ -4,7 +4,10 @@ let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
in in
{ {
imports = [ ./kitchenowl ]; imports = [
./kitchenowl
./nginxproxymanager.nix
];
options.modules.container = { options.modules.container = {
enable = mkEnableOption "container support"; enable = mkEnableOption "container support";


@ -11,7 +11,7 @@ let
in in
{ {
options.modules.container.kitchenowl = { options.modules.container.kitchenowl = {
enable = mkEnableOption "Whether to enable the kitchenowl container"; enable = mkEnableOption "kitchenowl container";
port = mkOption { port = mkOption {
type = port; type = port;
default = 82; default = 82;


@ -0,0 +1,129 @@
{
lib,
config,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) port;
cfg = config.modules.container.nginxproxymanager;
mkPortOption =
portNr: desc:
mkOption {
type = port;
default = portNr;
description = desc;
};
in
{
options.modules.container.nginxproxymanager = {
enable = mkEnableOption "Nginx Proxy Manager container";
ports = {
http = mkPortOption 80 "Port for http access";
https = mkPortOption 443 "Port for https access";
web = mkPortOption 81 "Port for the webpage";
};
};
config = mkIf cfg.enable {
modules.container.enable = true;
# Containers
virtualisation.oci-containers.containers."nginxproxymanager" = {
image = "jc21/nginx-proxy-manager:latest";
volumes = [
"nginx_letsencrypt:/etc/letsencrypt:rw"
"nginx_nginx:/data:rw"
];
ports = [
"${toString cfg.ports.http}:80/tcp"
"${toString cfg.ports.web}:81/tcp"
"${toString cfg.ports.https}:443/tcp"
];
log-driver = "journald";
extraOptions = [
"--network-alias=nginxproxymanager"
"--network=nginx_default"
];
};
#: Systemd services {{{
systemd = {
services = {
"podman-nginxproxymanager" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-nginx_default.service"
"podman-volume-nginx_letsencrypt.service"
"podman-volume-nginx_nginx.service"
];
requires = [
"podman-network-nginx_default.service"
"podman-volume-nginx_letsencrypt.service"
"podman-volume-nginx_nginx.service"
];
partOf = [
"podman-compose-nginx-root.target"
];
wantedBy = [
"podman-compose-nginx-root.target"
];
};
# Networks
"podman-network-nginx_default" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "podman network rm -f nginx_default";
};
script = ''
podman network inspect nginx_default || podman network create nginx_default
'';
partOf = [ "podman-compose-nginx-root.target" ];
wantedBy = [ "podman-compose-nginx-root.target" ];
};
# Volumes
"podman-volume-nginx_letsencrypt" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect nginx_letsencrypt || podman volume create nginx_letsencrypt
'';
partOf = [ "podman-compose-nginx-root.target" ];
wantedBy = [ "podman-compose-nginx-root.target" ];
};
"podman-volume-nginx_nginx" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect nginx_nginx || podman volume create nginx_nginx
'';
partOf = [ "podman-compose-nginx-root.target" ];
wantedBy = [ "podman-compose-nginx-root.target" ];
};
};
targets."podman-compose-nginx-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
};
#: }}}
};
}
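Review bot: `image = "jc21/nginx-proxy-manager:latest";` pins nothing, so any image pull can change the reverse proxy that terminates TLS for the host, and unlike the sibling kitchenowl module (`version = "v0.5.2"`) there is no `version` option; add one with `mkOption` and use `image = "jc21/nginx-proxy-manager:${cfg.version}";`. The `ports` list publishes `81` — the admin UI, which accepts a well-known initial login until it is changed — on every host interface alongside 80/443; a bind-address option (e.g. `"127.0.0.1:${toString cfg.ports.web}:81/tcp"` or the tailnet address) keeps the management UI off the public side, and since this module, unlike kitchenowl, has no `openFirewall` option, a comment stating that 80/443 must be opened by the host firewall would help. The `after`/`requires` lists for `podman-nginxproxymanager` repeat the same three units; a `let deps = [ ... ]; in` binding would keep them in step.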


@ -43,6 +43,11 @@ in
type = listOf str; type = listOf str;
default = [ "--ssh" ]; default = [ "--ssh" ];
}; };
extraFlags = mkOption {
type = listOf str;
default = [ ];
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -50,6 +55,7 @@ in
enable = true; enable = true;
extraUpFlags = concatLists [ extraUpFlags = concatLists [
cfg.defaultFlags cfg.defaultFlags
cfg.extraFlags
( (
mkIf cfg.tags != [ ] [ mkIf cfg.tags != [ ] [
"--advertise-tags" "--advertise-tags"
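Review bot: The new `extraFlags` option has no `description`, although its contents land directly on the `tailscale up` command line via `extraUpFlags`; `description = "Extra flags appended to tailscale up after defaultFlags (e.g. \"--accept-dns=false\")";` tells a host author what it is for. Because it is concatenated after `defaultFlags` (default `[ "--ssh" ]`), a later flag here can override an earlier one, and raptus now depends on that `--ssh` for access, so the description should mention the ordering. Separately, the context line `mkIf cfg.tags != [ ] [` reads as `(mkIf cfg.tags) != ([ ] [ ... ])` since function application binds tighter than `!=`; the expression continues outside the hunk, so confirm it evaluates as intended.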


@ -32,7 +32,7 @@ in
modules = [ modules = [
"${self}/hosts/${hostname}/configuration.nix" "${self}/hosts/${hostname}/configuration.nix"
"${self}/options" "${self}/options"
"${self}/modules/commons" "${self}/modules"
{ networking.hostName = hostname; } { networking.hostName = hostname; }
] ++ extraModules; ] ++ extraModules;
specialArgs = { specialArgs = {

Binary file not shown.


@ -1,10 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 biwZXw Adz1IbWLQ7LnJlNGRlIhTQq0jJ0frIR+L0aGcE0d5nk -> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4
xUGt5Us/cAU9JVeLv0Ia8peWZLct8YW9i+77IgiU2cI YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM
-> ssh-ed25519 b3HlPA iVld+xe6mvJMzAvmjPOTahcUSqOE0uGS/2GdQc0dSTQ -> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is
EG+h6L5v/KW3miD4Hy4goco2e507GOZKsHCE2kT5ERQ bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE
-> ssh-ed25519 cdUqUg FNFD1htaxYDyhn/xBg1l/WnAytplKlzPWWI5zu7ntVc -> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk
1IsEr/7H5fdtJII39pkktikJ/qwUn2eZ+/BowOVwkDo UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c
--- tcg5/OhNjGKdd4nIYE1o5z6tY4W/eoA4OjgNvdFi4gM -> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws
ßz<걶îK4µÑåó ÖõšÏ'`®®¡ÉÁ>ý 2T®—àOuðÎjç*B°2.pTt\ rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ
¿´¿ XÃìÀ@©ê×¼}MU3÷^ú{ªB¸4—ÛÁj=éð©]ýAf˜ÈÜì«8ιSQ}$0Š<30>°€;¤ ±â --- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs
bw¾XÁm Ÿws hF1É­+‡ZÜ }LY ZÝ<5A>¯fg³°¹q]̃tüxÊÛ¯¹õ`„¶Üw)—Y%uÚãåÅ^_v8QZfìq­u<C2AD>:¹¶g1 VÛþ!í–Â’»A[€€Çöe{TnÕ -f×

Binary file not shown.

Binary file not shown.


@ -3,6 +3,7 @@ let
marr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMh2nUUKt3xsKiwZUuo6HgvR3lr7rRAl0SOH/502sFP"; marr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMh2nUUKt3xsKiwZUuo6HgvR3lr7rRAl0SOH/502sFP";
brontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgknH3OPazZNhH5xkYfXBcYpI3TXj/eRp0/zzjtVJBf"; brontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgknH3OPazZNhH5xkYfXBcYpI3TXj/eRp0/zzjtVJBf";
shan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnASO1+h9tUYsNrsePcmxFLpKBkyCXbcZB9W7f5Yt5U"; shan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnASO1+h9tUYsNrsePcmxFLpKBkyCXbcZB9W7f5Yt5U";
ny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw";
devices = [ devices = [
marr marr
raptus raptus
@ -12,7 +13,7 @@ let
in in
{ {
"couchdb.age".publicKeys = devices; "couchdb.age".publicKeys = devices;
"rustypaste.age".publicKeys = devices; "rustypaste.age".publicKeys = devices ++ [ ny ];
"navidrome.age".publicKeys = devices; "navidrome.age".publicKeys = devices;
"adguard-dns-list.age".publicKeys = devices; "adguard-dns-list.age".publicKeys = devices;
} }
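Review bot: `ny` is the first non-device recipient in this file, so `rustypaste.age` can now be decrypted wherever that user key is held, not only on the listed hosts. If the intent is to let `agenix -e` work from a workstation, a one-line comment on the `ny` binding (`# personal key, used for editing secrets from a workstation`) would explain why only `rustypaste.age` gets it and keep the other secrets device-only on purpose rather than by omission.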